Firebox SOHO 6 Wireless

By Steven J. Vaughan-Nichols

August 29, 2003

If no one has ever coined the phrase 'good security comes in small boxes,' they should, because it describes this product from WatchGuard perfectly.

WatchGuard may not be a name that springs immediately to a Wi-Fi administrator's mind, but network security administrators know it well as one of the more trusted names in the business. But, with the introduction of their Firebox SOHO 6 Wireless line, it shouldn't be long before WatchGuard is a workplace name in Wi-Fi shops as well.

The Firebox SOHO 6 Wireless combines an Intersil chip-based 802.11b access point, 4-port Fast Ethernet switch, and a single Fast Ethernet Wide Area Network (WAN) port for either cable/DSL or network connections into a single, small red metallic package. So far, so ordinary. What sets the SOHO 6 apart from similar access point/firewalls like SonicWALL's SOHO TZW is that it also includes WatchGuard's tried and true virtual private network (VPN) and firewall.

The VPN uses IP Security with Data Encryption Standard or the far more secure Triple DES for encryption.

Triple DES can be slow, but one of WatchGuard's chief virtues is that their devices can decrypt Triple DES in a hurry. With its Brecis multi-service 150MHz processor and 16MB of RAM, the SOHO 6 is no exception, with a claimed throughput speed of 20Mbps. In informal tests, with a maximum throughput of 11Mbps over the Wi-Fi link, WatchGuard had no trouble keeping the encrypted data stream flowing.

Unfortunately, the SOHO 6 comes with only one Mobile VPN license for wireless users. With the SOHO 6 VPN Service Pack 1, due out shortly, you can have VPN services for as many wired users as your license covers. The basic SOHO 6 comes with a 10-user license that can be upgraded to 25 or 50 users.

The SOHO 6tc Wireless device, a SOHO 6 variation, does come with six Branch Office Wi-Fi VPN seats, though. Multi-user Mobile User VPN licenses are available for the SOHO 6 in five-user packages to a maximum of eleven Wi-Fi VPN seats. If you want more, you'll need to move up to the Firebox III or Firebox V series.

The SOHO 6 also supports dynamic Domain Name Service (DNS). With this, you can use VPN by domain names rather than requiring a static IP address. That's important for SOHOs since cable modems normally can never give you a static IP and DSL providers usually require an extra charge for a static IP.

In addition, the SOHO 6 boasts a stateful packet inspection (SPI) firewall. Ordinary firewalls, like the free ZoneAlarm, simply use static rules to examine Internet Protocol (IP) packets for their destination sockets and other basic information. For example, a packet headed to port 80 is likely to be going to a Web browser. If you find a program that's trying to pry at ports 135, 139, 445, and 593 though, chances are the Blaster virus is trying to make it in. Stateful packet filtering, though, can detect more subtle attacks by observing not just individual packets but the network stream that those packets form, to determine exactly what mischief a program might be up to.
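
The contrast between a static per-packet rule and stateful inspection can be shown in a few lines. This is an added example, not code from the review or from WatchGuard; the `Packet` fields, the simplified flag strings and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ports the review names in connection with Blaster; blocked by the static rule.
BLOCKED_PORTS = {135, 139, 445, 593}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # simplified TCP flags: "S", "SA", "A", "R"
    inbound: bool   # True if the packet arrives on the WAN side

def static_filter(pkt):
    """Static rule: judge each packet on its destination port alone."""
    return pkt.dport not in BLOCKED_PORTS

class StatefulFilter:
    """Tracks connections opened from the LAN; inbound packets must match one."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if not static_filter(pkt):
            return False
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.flows.add(key)       # LAN host opens a connection
            elif pkt.flags == "R":
                self.flows.discard(key)   # reset tears the flow down
            return True
        # Inbound: accept only replies to a tracked flow (tuple reversed).
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare(packets):
    """Return (static verdict, stateful verdict) for each packet in order."""
    spi = StatefulFilter()
    return [(static_filter(p), spi.allow(p)) for p in packets]

# Constructed sample traffic using private and documentation address ranges.
SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "S", False),  # LAN opens web connection
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "SA", True),  # reply on that connection
    Packet("198.51.100.9", 80, "192.168.1.10", 40001, "A", True),  # unsolicited inbound ACK
    Packet("198.51.100.9", 4444, "192.168.1.10", 135, "S", True),  # inbound to a blocked port
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.dport, pkt.flags, "static/stateful:", verdicts)
```

The third packet is the interesting one: it passes the static rule because its destination port is not on the block list, but the stateful filter drops it because no LAN host ever opened that connection.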

Unlike plain-Jane firewalls, the SOHO 6 will also work with authentication systems like Remote Authentication Dial-In User Service and Windows Active Directory. This helps stop unauthorized users and processes from working against you within your firewall.

Besides the big security things, another nice thing about the SOHO 6 is that WatchGuard gets the small things right. For example, besides just having a Dynamic Host Configuration Protocol (DHCP) server, it has a DHCP relay. This automatic utility looks for a secure connection to your network's DHCP. If it can't find the authorized DHCP server in 30 seconds, only then will it use its own DHCP server to deliver an IP address.

One of the best things about any WatchGuard system is that it comes with a 90-day subscription to WatchGuard's superb LiveSecurity Service. LiveSecurity provides you with firmware patches to stop the latest threats and keeps you informed of the latest security and viral news. This can be a real time saver for anyone who is in charge of network security and doesn't have enough hours in the day to keep track of the ever-changing world of computer and network threats.

Sounds great, doesn't it? And it is, if all you wanted was a firewall and VPN box. But, as a Wi-Fi device, the WatchGuard lacks certain basics such as advanced 802.11a, 802.11b+ or 802.11g support. How much life can there be in ordinary old 802.11b even in a small business?

The box also doesn't support the more advanced Wi-Fi security measures such as 802.1X and Wi-Fi Protected Access (WPA) for authentication and security. Of course, one could argue that with the included VPN and firewall, you don't need those features. I think a best-of-breed Wi-Fi security device should have the best of current wired and wireless security in the same device.

At an average street price of $529.99, the SOHO 6 is reasonable. But, to get the most out of it, you'll also need to pay for a longer subscription to LiveSecurity Service and more VPN licenses, which puts it closer to the SonicWALL price range. Even with that taken into consideration though, the SOHO 6 is probably, by a nose, the best single Wi-Fi security device and access point for the money on the market today.


